nach oben

Journal of Network and Systems Management

Erschienen in:

01.04.2023

A Secure IIoT Gateway Architecture based on Trusted Execution Environments

verfasst von: Antônio Augusto Fröhlich, Leonardo Passig Horstmann, José Luis Conradi Hoffmann

Erschienen in: Journal of Network and Systems Management | Ausgabe 2/2023

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Industrial Internet of Things (IIoT) gateways are affected by many cybersecurity threats, compromising their security and dependability. These gateways usually represent single points of failure on the IIoT infrastructure. When compromised, they can disrupt the entire system, including the security of the IIoT devices and the confidentiality and privacy of the data. This paper introduces a Secure IIoT Gateway Architecture that encompasses Trusted Execution Environment concepts and consolidated security algorithms to achieve a secure IIoT environment. Sensitive procedures of the IIoT, like device admission, bootstrapping, key management, authentication, and data exchange among operational technology (OT) and information technology (IT) are handled by the gateway inside the secure execution domain. The bootstrapping does not require devices to have any pre-stored secret or a pre-established secure channel to any trusted third party. Moreover, our architecture includes mechanisms for IIoT devices to safely interact with the Cloud without assuming the integrity of the gateways between them, enabling continuous verification of gateway integrity. A formal proof of the proposed solution security is provided. Finally, the security of the proposed architecture is discussed according to the specified requirements.

Vorheriger Artikel Networking Data and Intelligent Management in the Post-COVID19 Era: A Report on APNOMS 2021

Nächster Artikel Deep-Learning Based Detection for Cyber-Attacks in IoT Networks: A Distributed Attack Detection Framework

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

A platform like this, with the same assumptions and mechanisms, can also be used for OT devices. However, since OT are isolated from the IT by the gateway, trustfulness is often regarded as a function of design, implementation, and operation of such devices and their coordination in an IIoT segment.

The ECDH’s key pair is generated using an elliptic curve, which makes it 10 times more efficient than the traditional Diffie-Hellman for 256 bits ECDH keys [32]. Moreover, this difference increases whenever we increase the size of the key. In [33], the performance of the ECDH algorithm was assessed on an embedded platform featuring a 32-bit, 26MHz ARM7TDMI-S processor with 128kB of flash memory and 96kB of RAM, with execution time in the granularity of a few seconds, which demonstrates the ability of this simple platform to perform such operations. Finally, this key generation is only required once in the proposed bootstrap process, therefore, further key generation will happen very sporadically given the key management procedure.

\(64KB-1B\) is the maximum Data length supported by TSTP [26].

Diro, A.A., Chilamkurti, N., Kumar, N.: Lightweight cybersecurity schemes using elliptic curve cryptography in publish-subscribe fog computing. Mobile Netw. Appl. 22(5), 848–858 (2017). https://doi.org/10.1007/s11036-017-0851-8CrossRef

Cionca, V., Newe, T., Dădârlat, V.T.: Configuration tool for a wireless sensor network integrated security framework. J. Netw. Syst. Manage. 20(3), 417–452 (2011). https://doi.org/10.1007/s10922-011-9219-8CrossRef

Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017). https://doi.org/10.1109/mc.2017.201CrossRef

Lyu, M., Sherratt, D., Sivanathan, A., Gharakheili, H.H., Radford, A., Sivaraman, V.: Quantifying the reflective DDoS attack capability of household IoT devices. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks—WiSec ’17, pp. 46–51. ACM Press (2017)

Bali, R.S., Jaafar, F., Zavarasky, P.: Lightweight authentication for MQTT to improve the security of IoT communication. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy. ICCSP ’19, pp. 6–12. Association for Computing Machinery, New York, NY (2019)

The Things Network.: LoRaWan security, sponsored by The Things Industry. Retrieved from https://www.thethingsnetwork.org/docs/lorawan/security.html. Accessed 03 Nov 2020

Naoui, S., Elhdhili, M.E., Saidane, L.A.: Lightweight and secure password based smart home authentication protocol: LSP-SHAP. J. Netw. Syst. Manage. 27(4), 1020–1042 (2019). https://doi.org/10.1007/s10922-019-09496-xCrossRef

Pinto, S., Gomes, T., Pereira, J., Cabral, J., Tavares, A.: IIoTEED: an enhanced, trusted execution environment for industrial IoT edge devices. IEEE Internet Comput. 21(1), 40–47 (2017). https://doi.org/10.1109/mic.2017.17CrossRef

Ukil, A., Sen, J., Koilakonda, S.: Embedded security for Internet of Things. In: 2011 2nd National Conference on Emerging Trends and Applications in Computer Science, pp. 1–6. IEEE (2011)

10.

Lesjak, C., Hein, D., Winter, J.: Hardware-security technologies for industrial IoT: TrustZone and security controller. In: IECON 2015—41st Annual Conference of the IEEE Industrial Electronics Society. IEEE, p. 2589–2595 (2015)

11.

Panchal, A.C., Khadse, V.M., Mahalle, P.N.: Security issues in IIoT: a comprehensive survey of attacks on IIoT and its countermeasures. In: 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN), pp. 124–130. IEEE (2018)

12.

Togay, C., Mutlu, G., Kurtulus, D., Özgür, F.: Secure gateway for the internet of things. Avrupa Bilim ve Teknol. Dergisi (2019). https://doi.org/10.31590/ejosat.524783CrossRef

13.

Navarro-Ortiz, J., Sendra, S., Ameigeiras, P., Lopez-Soler, J.M.: Integration of LoRaWAN and 4G/5G for the industrial internet of things. IEEE Commun. Mag. 56(2), 60–67 (2018). https://doi.org/10.1109/mcom.2018.1700625CrossRef

14.

Lin, I.C., Hsu, H.H., Cheng, C.Y.: A cloud-based authentication protocol for RFID supply chain systems. J. Netw. Syst. Manage. 23(4), 978–997 (2015). https://doi.org/10.1007/s10922-014-9329-1CrossRef

15.

Kuo, F.C., Tschofenig, H., Meyer, F., Fu, X.: Comparison studies between pre-shared and public key exchange mechanisms for transport layer security. In: Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications, pp. 1–6. IEEE (2006)

16.

Bienhaus, D., Ebner, A., Jäger, L., Rieke, R., Krauß, C.: Secure gate: secure gateways and wireless sensors as enablers for sustainability in production plants. Simul. Model. Pract. Theory 109, 102282 (2021). https://doi.org/10.1016/j.simpat.2021.102282CrossRef

17.

Sebastian, D.J., Agrawal, U., Tamimi, A., Hahn, A.: DER-TEE: secure distributed energy resource operations through trusted execution environments. IEEE Internet Things J. 6(4), 6476–6486 (2019). https://doi.org/10.1109/JIOT.2019.2909768CrossRef

18.

Lee, S., Heo, M., Park, K., Kim, B., Hong, J.: Enhancing the security of IoT gateway based on the classification of user security-sensitive data. In: Proceedings of the Conference on Research in Adaptive and Convergent Systems. RACS ’19, pp. 241–243. Association for Computing Machinery, New York, NY (2019)

19.

Ling, Z., Yan, H., Shao, X., Luo, J., Xu, Y., Pearson, B., et al.: Secure boot, trusted boot and remote attestation for ARM TrustZone-based IoT Nodes. J. Syst. Architect. 119, 102240 (2021). https://doi.org/10.1016/j.sysarc.2021.102240CrossRef

20.

Tange, K., De Donno, M., Fafoutis, X., Dragoni, N.: A systematic survey of industrial internet of things security: requirements and fog computing opportunities. IEEE Commun. Surv. Tutor. 22(4), 2489–2520 (2020). https://doi.org/10.1109/COMST.2020.3011208CrossRef

21.

Li, J., Tang, X., Wei, Z., Wang, Y., Chen, W., An Tan, Y.: Correction to: Identity-based multi-recipient public key encryption scheme and its application in IoT. Mobile Netw. Appl. (2020). https://doi.org/10.1007/s11036-020-01512-8CrossRef

22.

Lucena, M., Scheffel, R.M., IoT, Fröhlich. A.A..: Protocol, gateway integrity checking. In: IX Brazilian Symposium on Computing Systems Engineering (SBESC), vol. 2019, pp. 1–8. IEEE (2019)

23.

Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659CrossRefMATH

24.

Dolev, D., Yao, A.C.: On the security of public key protocols. In: 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981), pp. 350–357. IEEE (1981)

25.

Hu, P., Ning, H., Qiu, T., Song, H., Wang, Y., Yao, X.: Security and privacy preservation scheme of face identification and resolution framework using fog computing in internet of things. IEEE Internet Things J. 4(5), 1143–1155 (2017). https://doi.org/10.1109/JIOT.2017.2659783CrossRef

26.

Resner, D., Fröhlich, A.A.: Design rationale of a cross-layer, trustful space-time protocol for wireless sensor networks. In: 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA), pp. 1–8. IEEE (2015)

27.

Scheffel, R.M., Fröhlich, A.A.: FT-TSTP: a multi-gateway fully reactive geographical routing protocol to improve WSN reliability. In: 2018 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2018)

28.

IEEE: IEEE standard for a precision clock synchronization protocol for networked measurement and control systems. In: IEEE Std 1588–2002, pp.1–154, 31 Oct. 2002. https://doi.org/10.1109/IEEESTD.2002.94144

29.

Resner, D., Fröhlich, A.A.: Speculative precision time protocol: submicrosecond clock synchronization for the IoT. In: 21st IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2016), pp. 1–8. Berlin, Germany (2016)

30.

IEC. Industrial Communication Networks—Fieldbus Specifications—Part 1: Overview and Guidance for the IEC 61158 and IEC 61784 Series. International Electrotechnical Commission, Geneva (2019)

31.

Isobe, T., Shibutani, K.: Preimage Attacks on Reduced Tiger and SHA-2. In: Fast Software Encryption, pp. 139–155. Springer, Berlin (2009)

32.

National Security Agency: The case for elliptic curve cryptography (2005, October 13). Retrieved from https://web.archive.org/web/20051013062853/http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm. Accessed November 3, 2020

33.

Resner, D., Augusto, Fröhlich, A.: Key establishment and trustful communication for the Internet of Things. In: Proceedings of the 4th International Conference on Sensor Networks—SENSORNETS,. INSTICC, pp. 197–206. SciTePress (2015)

34.

Certicom Research: SEC 2: recommended elliptic curve domain parameters (2010, January 27). Retrieved from https://www.secg.org/sec2-v2.pdf. Accessed November 3, 2020

35.

Aziz, B., Hamilton, G.: Detecting man-in-the-middle attacks by precise timing. In: 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 81–86. IEEE (2009)

36.

Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Proceedings of Fast Software Encryption, pp. 32–49. Paris, France (2005)

37.

Resner, D.: Performance Evaluation of the Trustful Space-Time Protocol [M.Sc. Thesis]. Federal University of Santa Catarina. Florianópolis (2018). https://repositorio.ufsc.br/handle/123456789/189296

38.

Carlos, M.C., Martina, J.E., Price, G., Custódio, R.F.: An updated threat model for security ceremonies. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing. SAC ’13, pp. 1836–1843. Association for Computing Machinery, New York, NY (2013). https://doi.org/10.1145/2480362.2480705

39.

Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016, 86 (2016)

40.

Götzfried, J., Eckert, M., Schinzel, S., Müller, T.: Cache Attacks on Intel SGX. In: Proceedings of the 10th European Workshop on Systems Security. EuroSec’17, pp. 1–6. Association for Computing Machinery, New York, NY (2017)

41.

Fröhlich, A.A.: SmartData: an IoT-ready API for sensor networks. Int. J. Sens. Netw. 28(3), 202 (2018). https://doi.org/10.1504/ijsnet.2018.096264CrossRef

Titel: A Secure IIoT Gateway Architecture based on Trusted Execution Environments
verfasst von: Antônio Augusto Fröhlich
Leonardo Passig Horstmann
José Luis Conradi Hoffmann
Publikationsdatum: 01.04.2023
Verlag: Springer US
Erschienen in: Journal of Network and Systems Management / Ausgabe 2/2023
Print ISSN: 1064-7570
Elektronische ISSN: 1573-7705
DOI: https://doi.org/10.1007/s10922-023-09723-6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2023

Network Anomaly Early Warning through Generalized Network Temperature and Deep Learning

Minimizing Resource Allocation for Cloud-Native Microservices

NS-ENFORCER: Enforcing Network Slicing on Radio Access Networks

Fedidchain: An Innovative Blockchain-Enabled Framework for Cross-Border Interoperability and Trust Management in Identity Federation Systems

An Efficient Adaptive Meta Learning Model Based VNFs Affinity for Resource Prediction Optimization in Virtualized Networks

A Survey on the Use of Lightweight Virtualization in I4.0 Manufacturing Environments

Premium Partner